DiGA Certification
DiGA Certification for Digital Health Applications
Advice & services for DiGA certification
If you are a medical device manufacturer and would like to apply for DiGA certification (i.e. certification for a digital health application), our team will provide you with advice and services, either on site or through online video meetings.
Medical device manufacturers can apply to the Federal Institute for Drugs and Medical Devices (BfArM) for DiGA certification for their digital health applications. The application process and the manufacturer must meet numerous requirements for certification.
Why is a DiGA certification useful for digital health applications?
If the application receives DiGA certification after the review process and is included in the official DiGA directory, it can be prescribed and reimbursed under statutory health insurance. This is why such applications are often referred to as “apps on prescription”.
Successfully completing the required testing process is essential, and our quality management team has the necessary expertise and experience to guide you. We offer support with the fast-track procedure for provisional authorization and the final DiGA certification process.
Fast-track procedure - DiGA certification process in 3 steps
The DiGA certification process can be expedited using the fast-track procedure, which can be completed in as little as three months. Below is an overview of how this procedure works and how we can help you successfully list your application in the DiGA directory in three steps.
We offer advice and support in preparing the necessary documentation for certification as a medical device. Certification is only available for Class I or IIa apps.
Manufacturers must provide the necessary evidence and issue a declaration of conformity. For Class I products, this does not require a notified body (such as TÜV). However, for Class IIa products, a notified body is involved. This body is involved in the conformity assessment procedure and acts as the corresponding testing body in the certification.
Once the app is certified as a medical device, the manufacturer submits an application to the BfArM. We offer assistance and support throughout this process.
The app can be included in the DiGA directory via fast track. The BfArM’s processing time is three months after receiving the complete application.
The BfArM's review focuses on verifying the product characteristics declared by the manufacturer, including data protection, user-friendliness and proof of the positive healthcare effects.
In cases where newly developed apps face challenges in demonstrating these effects, provisional inclusion in the directory is possible. The manufacturer may apply for provisional inclusion and conduct a comparative study within a one-year trial phase, with the possibility of extending it to two years in exceptional cases.
Your app can be included in the DiGA directory if:
- The BfArM determines that the healthcare benefits are sufficiently demonstrated.
- The BfArM approves your application for provisional inclusion.
After successful inclusion, each DiGA receives a unique directory number.
What are DiGA – Digital health applications?
DiGA refers to digital health applications. These are medical software products that address health-related purposes and are intended to help recognise, monitor, treat or alleviate illnesses.
DiGA are medical devices that carry a CE mark and belong to a low-risk class (i.e. Class I or IIa). According to the Medical Device Regulation (MDR), DiGA certification is only available for devices in Class IIa or lower, requiring the involvement of a notified body such as TÜV. Apps or software in higher risk categories (IIb or higher) cannot obtain DiGA certification.
for final DiGA certification in 5 steps
If you choose to pursue final DiGA certification for your digital health application, we will guide you through the process in five steps. We will assess whether your medical software can be listed as a DiGA and support you all the way to medical device authorization.
We work with you to clarify the following questions when reviewing your concept for inclusion in the DiGA directory:
- Does your digital health application fulfil the requirements of the Digital Health Applications Regulation (DiGAV, Digitale-Gesundheitsanwendungen-Verordnung) in terms of safety, functional suitability and quality?
- Is there a medical benefit for the patient and does it have a positive impact on care?
- Is inclusion in the DiGA directory realistic?
We help you to meet the high requirements that the BfArM places on DiGA without any problems. In the following sections, you will find out how we can provide you with advice and active support.
Data protection and data security requirements
A review of the DiGAV reveals that the requirements for data protection and data security are particularly high. In some cases, these exceed the requirements of existing laws, in particular the European General Data Protection Regulation (GDPR) and the Medical Device Regulation (MDR). This is because patient data, as sensitive data, has a very high level of protection under the GDPR.
Since digital health applications collect patient data, you as the manufacturer of a digital health application (DiGA) should be familiar with the data protection requirements and pay very close attention to the correct processing of the data right from the start. We can advise you on this and review your data processing.
Proof of a positive effect on healthcare
The greatest challenge is probably the requirements for proving a positive effect on healthcare. A positive healthcare effect can be a medical benefit or a procedural and structural improvement in healthcare. In any case, the positive effect on care must be proven by means of a comparative and quantitative study.
Information security management system in accordance with ISO 27001 or BSI standard 200-1
From 2022, manufacturers will be obliged to operate an information security management system (ISMS) in accordance with ISO 27001 or BSI Standard 200-1. In addition, medical device manufacturers will be required to obtain a mandatory IT security certificate from the BSI from mid-2022.
Product Safety and Functionality of the digital health application
According to SGB V, distributors of DiGA must prove the product safety and functionality of their digital health application. The CE mark is used as the medical device manufacturer's declaration of conformity for this purpose. This confirms compliance with the quality and safety requirements via a notified body, such as TÜV. As there are liability risks here, you should follow the process carefully.
To be included in the DiGA directory, your digital health application must:
- Be classified as a Class I or IIa device under the MDR
- Have core functionalities based on digital technologies
- Achieve its medical purpose through digital functions
- Significantly aid in detecting, monitoring, treating, or alleviating diseases or injuries
- Be used by the patient and the healthcare professional
All requirements for a DiGA are defined in Section 33a of the Fifth Book of the German Social Code (SGB V). The Digital Health Applications Regulation (DiGAV) regulates the details of the authorisation procedure.
After market authorisation of your digital health application (DiGA), we support you with market surveillance and operation. For digital health applications to be billed, positive healthcare effects must be proven. On the one hand, this involves medical benefits and, on the other, patient-relevant structural and procedural improvements. As part of the DiGAV, the Federal Ministry of Health (BMG) specifies which criteria can be used to measure the benefits of digital health applications.
As soon as the app has been successfully included in the DiGA directory, the medical device manufacturer has the following obligations. We can also advise you on these obligations:
- Assessment of significant changes to the app in accordance with the DiGAV. If applicable, notification of the change to the BfArM.
- Ensuring that the information in the directory is up-to-date and complete. The change is made by application of the manufacturer to the BfArM.
- Maintenance of the information and distribution platforms linked in the directory, such as the link to the instructions for use.
- Maintaining and improving data protection and information security.
- Control of change.
- Deleting and blocking data that is no longer required.
- Maintaining directories of third-party software used.
- Recognising security-relevant events and proactively preventing them.
- Consideration of requirements from the General Data Protection Regulation.